Linux Passive FTP Not Working Problem And Solution

Q. I'm running a GNU/Linux system with an FTP server, and passive FTP client requests are not working. What can I do to fix this problem under the Linux iptables firewall?

A. An FTP connection also needs a data transfer channel, which is set up as either an active or a passive session.

Make sure the firewall is not blocking your FTP session. If the ports are open, make sure iptables is allowing passive FTP. To solve this problem, load the ip_conntrack_ftp connection-tracking helper module, which lets iptables recognise the data connection that belongs to an FTP control session. Type the following command to load this module:

# modprobe ip_conntrack_ftp

Iptables passive ftp rules

A sample iptables firewall script to deal with incoming FTP requests, including active and passive connections.

Your FTP line is clearly wrong, I don't even know how it would work for anyone.

First: you are accepting an INPUT connection on the SOURCE port 21:

$IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

I would like to see an ftp client that tries to reach your server FROM the port 21. Of course it should be the DESTINATION port that is 21 (so change --sport to --dport). A simple ftp connection to a server throws an error (when applying your rule):

IN=eth0 OUT= MAC=00:xx:xx:xx:f2:e0:00:1f:9e:aa:39:00:08:00 SRC=xxx.228.xxx.120 DST=80.xxx.168.xxx LEN=52 TOS=0x00 PREC=0x00 TTL=122 ID=11054 DF PROTO=TCP SPT=23083 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0

You can clearly see that the client tries to knock on port 21, and that is DPT.

Second: even if we change --sport and --dport as they should be, you are allowing only ESTABLISHED connections on INPUT. This means that you are not accepting NEW connections, which means no FTP at all. So, correcting the rules for Active FTP:

iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
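The corrected control-channel rules above only cover active FTP; the following added example (not the article's sample script nor the commenter's rules) gives a complete rule set for an FTP server that accepts both active and passive sessions, relying on the ftp conntrack helper so that passive data connections are classified RELATED. The interface name eth0 and the passive port range 50000:50100 are assumptions; the FTP server must be configured to announce that same range in its PASV replies.

```shell
#!/bin/sh
# Added example: iptables rules for an FTP server with active and passive support.
# Dry run by default (prints the commands); run as root with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
FTP_IF="${FTP_IF:-eth0}"                 # assumed interface facing the clients
PASV_PORTS="${PASV_PORTS:-50000:50100}"  # assumed passive range set in the FTP server

load_ftp_helper() {
    # The helper was renamed over time: older kernels ship ip_conntrack_ftp,
    # newer ones nf_conntrack_ftp. Try both; fail if neither loads (needs root).
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp 2>/dev/null || return 1
}

ftp_rules() {
    # Control channel: clients connect TO port 21, so match --dport on INPUT
    # (and allow NEW there) and --sport 21 on the replies leaving via OUTPUT.
    $IPT -A INPUT  -i "$FTP_IF" -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$FTP_IF" -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

    # Active mode: the server opens the data connection from port 20 to the
    # port the client sent in its PORT command; the helper marks it RELATED.
    $IPT -A OUTPUT -o "$FTP_IF" -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -i "$FTP_IF" -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

    # Passive mode: the client connects to the high port announced in the PASV
    # reply. With the helper loaded that connection is RELATED, so the range
    # never has to be opened for unrelated NEW connections.
    $IPT -A INPUT  -i "$FTP_IF" -p tcp --dport "$PASV_PORTS" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$FTP_IF" -p tcp --sport "$PASV_PORTS" -m state --state ESTABLISHED -j ACCEPT
}

# Without the helper the passive data connection is never RELATED and the
# passive rule above silently does nothing, so check the module first.
load_ftp_helper || echo "warning: ftp conntrack helper not loaded" >&2
ftp_rules
```

Run it once without IPT set and compare the printed rules against your own script before applying them.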